Documentation
¶
Overview ¶
Package logging provides a stdlib-only slog.Handler decorator that scrubs sensitive values from log attributes before they reach the underlying handler. Operators can wrap any slog.Handler with NewRedactingHandler to gain defence-in-depth PII/secret redaction without modifying call sites.
The redactor matches by attribute key (case-insensitive) against a list of well-known secret field names and replaces the value with a short mask. Nested map, slog.Group, and []any values are walked recursively.
This is a belt-and-braces layer. Hot-path code should still avoid logging secrets explicitly; the redactor exists so that a future code change which accidentally includes a header map or error body in a log statement does not leak credentials.
Index ¶
- Variables
- type RedactingHandler
- func (h *RedactingHandler) Enabled(ctx context.Context, level slog.Level) bool
- func (h *RedactingHandler) Handle(ctx context.Context, r slog.Record) error
- func (h *RedactingHandler) WithAttrs(attrs []slog.Attr) slog.Handler
- func (h *RedactingHandler) WithGroup(name string) slog.Handler
- func (h *RedactingHandler) WithMask(mask string) *RedactingHandler
- func (h *RedactingHandler) WithSensitiveKeyBoundaryMatching() *RedactingHandler
- func (h *RedactingHandler) WithSensitiveKeys(keys ...string) *RedactingHandler
Constants ¶
This section is empty.
Variables ¶
var DefaultSensitiveKeys = []string{
"authorization",
"api_key",
"apikey",
"x-api-key",
"bearer",
"token",
"secret",
"password",
"passphrase",
"cookie",
"set-cookie",
"credential",
"session_token",
"session_id",
"session_secret",
"csrf_token",
"private_key",
"privatekey",
"client_secret",
"refresh_token",
"access_token",
"id_token",
"x-addon-token",
}
DefaultSensitiveKeys is the built-in list of attribute keys whose values will be masked. Case-insensitive, substring match.
Functions ¶
This section is empty.
Types ¶
type RedactingHandler ¶
type RedactingHandler struct {
// contains filtered or unexported fields
}
RedactingHandler wraps a slog.Handler and scrubs sensitive values from attributes before delegating to the inner handler.
func NewRedactingHandler ¶
func NewRedactingHandler(inner slog.Handler) *RedactingHandler
NewRedactingHandler wraps inner with the default sensitive-key list and "[REDACTED]" as the replacement value.
func (*RedactingHandler) Handle ¶
Handle scrubs the record's attributes in-place before forwarding to the inner handler. Because slog.Record's Attrs method walks a shared slice we build a new record with the scrubbed attrs.
func (*RedactingHandler) WithAttrs ¶
func (h *RedactingHandler) WithAttrs(attrs []slog.Attr) slog.Handler
WithAttrs scrubs the static attrs applied at handler construction time.
func (*RedactingHandler) WithGroup ¶
func (h *RedactingHandler) WithGroup(name string) slog.Handler
WithGroup delegates to the inner handler.
func (*RedactingHandler) WithMask ¶
func (h *RedactingHandler) WithMask(mask string) *RedactingHandler
WithMask returns a copy that uses a different replacement string.
func (*RedactingHandler) WithSensitiveKeyBoundaryMatching ¶
func (h *RedactingHandler) WithSensitiveKeyBoundaryMatching() *RedactingHandler
WithSensitiveKeyBoundaryMatching returns a copy that only matches configured sensitive keys at identifier boundaries. The default remains substring matching because it is safer for generic log redaction; this opt-in mode is for callers that can tolerate maintaining a more explicit key list and want to avoid false positives such as "tokenizer_results".
func (*RedactingHandler) WithSensitiveKeys ¶
func (h *RedactingHandler) WithSensitiveKeys(keys ...string) *RedactingHandler
WithSensitiveKeys returns a copy that matches additional key patterns. Existing defaults are retained; pass a new handler with WithMask to replace the mask string.